1 / 22

Overview of eduroam developments in Europe

Overview of eduroam developments in Europe. Klaas Wierenga Klaas.Wierenga@surfnet.nl APAN Singapore, July 20 2006. Content. Current status of eduroam in Europe The European eduroam federation eduroam-ng Summary. Current status. eduroam members.

lavina
Download Presentation

Overview of eduroam developments in Europe

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Overview of eduroam developments in Europe Klaas Wierenga Klaas.Wierenga@surfnet.nl APAN Singapore, July 20 2006

  2. Content • Current status of eduroam in Europe • The European eduroam federation • eduroam-ng • Summary

  3. Current status

  4. eduroam members • Reaching 100% coverage in terms of countries • Reaching 500 connected institutions • Moving to a full service means: • Management and monitoring • Formal agreements • Scalability Green= member, Blue = in process of joining

  5. The European eduroam federation

  6. The European eduroam policy • Mutual access • Home institutions are/remain responsible for their users abroad • Members are European NRENs • Members guarantee required security levels by their participants • Members promote eduroam in their countries • European eduroam may peer with other regions

  7. National policy • Mutual access • Members are connected institutions • Home institution is/remains responsible for its users behaviour. • Home institution is responsible for proper user management • Home and visited institution must keep sufficient logdata • Appropriate security levels

  8. eduroam-NG

  9. eduroam-NG: Requirements • GEANT2 roaming facility = eduroam-ng • Downward compatible with existing eduroam (RADIUS, 802.1X) • Intended key improvements of eduroam-ng • More formally defined form of federation • More reliable • More scalable (dynamic trust establishment) Requirements as taken from GEANT2 deliverable DJ5.1.2: “Documentation on the GEANT2 Roaming Requirements”

  10. Dynamic Trust Establishment • Dynamic Trust Establishment and Scalability requirements typically translate into • Direct connections between parties (peers) involved in handling an authentication / authorization request • No RADIUS tree traversing as with current eduroam setup • But, peers do not have a direct formal relationship • Connection setup between peers consists of two steps • Peer discovery (Which server handles authentication / authorization requests for the user’s realm?) • Confirm that peer (or user realm) is part of roaming domain (Is the user part of the community that shares resources?)

  11. ‘Peer Discovery’ and ‘Roaming Domain Participation’ Common setup for protocols • Peer discovery • DNS based • Confirmation of participation in roaming domain • Public Key Infrastructure (PKI) based • DNS based (using secure extensions)

  12. Protocol architectures for roaming • 3 architectures have been analysed: • Diameter. IETF defined this as successor for RADIUS • P2P Radius • Trust based on dnssec (radius-dnssec) • Trust based on PKI (RadSec) • Diameter: no widely available implementation • DNSsec: idem • RadSec: not widely deployed but: • Supported by Radiator • Strong interest in FreeRADIUS community

  13. RadSec / DNSROAM • RADIUS extension ‘borrrowing’ the goodies from Diameter • Usage of TCP • Usage of TLS • Trust based on preconfigured set of roaming CA’s (PKI) • Supports migration scenarios • Either static links: RadSec • Or dynamic through DNS: DNSROAM

  14. Deployment scenarios in Geant2 • We tested the RadSec approach • Multiple deployment scenarios have been studied. We describe the three that are tested: • Fully hierarchical • Meshed top-level • Fully meshed

  15. Fully hierarchical

  16. Meshed top-level

  17. Fully meshed

  18. Test and evaluation results • Test setup • 6 NRENs and a number of institutions participated (SURFnet, CESNET, ISTF, TELIN, ARNES, ACAD, UNINETT, RESTENA) • Each scenario was tried-out between a couple of sites, and subsequently extended to a larger group • Tested a number of cases • Authentication related (known/unknown user, wrong credentials) • PKI related (unknown CA, multiple CA, Revocation, mismatch between peer name and CN) • DNS related (NAPTR/SRV lookup failure, fallback ) • Configuration related (CA cert not installed, loops) • Connectivity related (peer unreachable) • Performance related (DNS overhead)

  19. Test results • Hierarchical scenario • TCP/TLS was preferred over current RADIUS (better failure detection) • Most appreciated scenario! (Rating: 8.2 of 10) • Meshed top-level (institutions were statically configured) • Test used a centralized zone (test.eduroam.org) • 2/3 say ‘DNS-based roaming is a GOOD thing’ • 1/3: Buggy DNS-servers, DNS not secure • Rating: 6.2 of 10 • Fully meshed (no toplevel CA!) • PKI management wasn’t easy (re-distribution issues and problems with revocation lists) • Main issue: Auth Server has to be opened to the whole world (even though certificates are checked) • Score: 6.8 out of 10

  20. Summary

  21. Summary • eduroam is widely deployed (at the country level) • Now moving to a ‘real’ European federation • We have to work out the relation with other regions (like yours!) • It is possible to replace the static Radius hierarchy with a similar one, using RadSec. RadSec proved to be sufficiently stable. • Dynamic peer discovery needs more testing and consideration. • So eduroam is here, is here to stay, so the motto remains:

  22. Join….

More Related